Using showSigninToGetTokens from okta-signin-widget, after login fragment says response type not authorized by server

vnaves · December 9, 2019, 7:35pm

I have a bunch of apps in angular 1.x and no one on the company has any tribal knowledge on the way they were constructed.

So I am opting to use the CDN version of the Widget.

I have been following the docs on developer.okta.com

I setup a SPA app on the okta admin. It is using PKCE (kinda important for later on)

On my app, I am setting up Okta like this:

    let oktaSignIn = new OktaSignIn({
          baseUrl: "URL",
          clientId: "ID",
          authParams: {
            issuer: "URL/oauth2/default",
            responseType: ['token', 'id_token'],
            display: 'page',
            pkce: true,
            redirectUri: 'http://localhost:8080/session/callback'
          },
          el: '#okta-login-container'
    }
    oktaSignIn.showSignInToGetTokens(
              {
                clientId: "ID",
                pkce: true,
                redirectUri: 'http://localhost:8080/session/callback',
                getAccessToken: true,
                getIdToken: true,
              },
              function success(res) {
                console.log(res);
                oktaSignIn.authClient.token.parseFromUrl(
                  function success(tokens) {
                    // Save the tokens for later use, e.g. if the page gets refreshed:
                    // Add the token to tokenManager to automatically renew the token when needed
                    tokens.forEach(token => {
                      if (token.idToken) {
                
                        signIn.tokenManager.add('idToken', token);
                      }
                      if (token.accessToken) {
                        signIn.tokenManager.add('accessToken', token);
                      }
                    });
            
                    // Say hello to the person who just signed in:
                    var idToken = signIn.tokenManager.get('idToken');
                    console.log('Hello, ' + idToken.claims.email);
            
                    // Remove the tokens from the window location hash
                    window.location.hash='';
                  });
              },
              function error(err) {
                // handle errors as needed
                console.error(err);
              }
            );
            // });
          }
        }

So all that code does sign in and redirects to the callback no problem. The issue is that I am not getting any token back because I am getting this error as a fragment on the URL: error=unsupported_response_type&error_description=The+response+type+is+not+supported+by+the+authorization+server.+Configured+response+types%3A+%5Bcode%5D.

The thing is, I am not configuring the response type, if I do, the same error appears.

Bonus: the PKCE config on the widget is not picking up when I do a console.log(oktaSignIn),
oktaSignin.authClient.pkce = false

Anyone have any ideas on how I can get this to work?

andrea · December 9, 2019, 7:48pm

You’re planning to use PKCE flow for your sign on page, right? If so, you do not want to set responseType to [‘token’, ‘id_token’] in the OktaSignIn config.

The error you are seeing says that the OIDC authorization flow you are attempting to use is not available for the client application. If you only have Authorization Code flow (with PKCE) configured in Okta, then this error would be expected as, when you set responseType to [‘token’, ‘id_token’] you’re saying that you want to use Implicit flow instead.

Instead, you want your config to look more like the example in the Widget documentation, (making sure you still pass the clientId for your application and, in your case, including the ‘issuer’ in the authParams):

var signIn = new OktaSignIn(
  {
    baseUrl: 'https://{yourOktaDomain}',
    redirectUri: '{{redirectUri configured in OIDC app}}',
    authParams: {
      display: 'page',
      pkce: true
    }
  }
);

Also, the docs for the showSignInToGetTokens method indicates that, as long as you’ve configured everything as needed in the OktaSignIn config, you shouldn’t need to set clientId, pkce, or redirectUri a second time.

Can you try removing responseType from the OktaSignIn instantiation to see if that resolves the issue?

vnaves · December 11, 2019, 10:50pm

@andrea:
I’ve reduced the code as you suggested, same error.
when I change the Application config on Okta to be implicit then it works, but I want to use PKCE as suggested by Okta

dragos · December 12, 2019, 2:06am

Hi @vnaves

Can you please check under Admin >> Security >> API (or API directly if using Developer Console interface) >> Authorization Servers >> your authorization server >> Access Policies you have an access policy for your application that allows Authorization Code to be performed (inside the rule section)?

If you have this set, please email us at developers@okta.com in order to have this issue further investigated by one of our Developer Support Engineers.

vnaves · December 12, 2019, 4:55pm

@dragos I do have that setup that way, I’ll be emailing the developers, thank you

system · January 18, 2024, 12:42am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.